The Hacker News headline exclaimed “Hackers Cause World’s First Power Outage with Malware.”
The story detailed how hackers used highly destructive malware to impact three regional power authorities in Ukraine causing blackouts two days before Christmas. According to a Ukrainian news service TSN, the outage was the result of malware, the “BlackEnergy” trojan that disconnected electrical substations.
The BlackEnergy Trojan was first discovered in 2007 initially to conduct DDoS attacks and was later updated to add a host of new features including a component called “KillDisk” and a backdoored secure shell (SSH) utility that gives hackers permanent access to infected computers.
KillDisk enabled the BlackEnergy malware to destroy critical parts of a computer hard drives and sabotage industrial control systems. The hackers used backdoors to spread the KillDisk module through booby-trapped macro functions embedded in Microsoft Office documents across the Ukrainian power authorities. It is believed that the initial point of infection with BlackEnergy was caused by employees opening these Microsoft Office files containing malicious macros.
Protection on the Horizon
The nation’s electric power grids are arguably the most important assets to protect from cyber attacks. Beyond following minimum guidelines, there are innovative and proven solutions that focus on understanding the relationships between computers, computer networks and the electric grid so those responsible can identify and quantify failure scenarios. This is proving to be an effective technique for mitigating risks and maximizing protection of this critical infrastructure.
Consider the joint initiative that UNCC and Waverley Labs performed with Duke Energy for grid network modeling and risk management related to threat scenario identification and related cyber vulnerability/threat quantification, prioritization, and response. The collaboration leveraged highly automated, patent pending analysis that integrates IT systems and cyber security data with critical operations data and prioritizes risks to critical energy infrastructure such as power grids. This new intelligence enables energy companies to quickly model consequences and quantify business impacts associated with each risk. The solution is soon to be evaluated by other power companies as well as a growing number of large government agencies seeking to protect highly critical IT infrastructure.
Other solutions being tested to protect power grids include new technology, software defined perimeters (SDP) that emerging and serve as the first layer of a new security paradigm that establishes an undetectable application infrastructure. This undetectable application infrastructure is often referred to as the “Black Cloud.” The primary objective of the SDP is to make the application infrastructure effectively “black” or undetectable that shows no domain name system (DNS) information or IP addresses. SDPs are already being deployed by large organizations that have been developed in house such as Coca-Cola and Mazda, and the industry’s first open source version for the Department of Homeland Services.
What is unique about the SDP specification is that it has evolved from a standardized “Need-to-Know” access model that has been deployed within the DoD that prevents the use of backdoors from unauthorized users and devices to new version that addresses todays changing network perimeter. It enforces device verification before authentication that was first published by NSA a decade ago but never commercialized. It promotes the use of Mutual TLS (Transport Layer Security), which is a great idea and standard that has yet to be widely adopted. The result is the elimination of denial of service, wireless and network attacks, and the top ten OWASP application attacks that have plagued companies for decades and continue to with ever increasing intensity.
Stay tuned and watch this space for additional guidance on a variety of new cyber risk quantification procedures and knowledge-based analytical frameworks for digital risk management.